DOD battles increasingly virulent cyberattacks

DOD attempts to fight spear phishing scams

Jan 08, 2007

The Defense Department continues to battle increasingly sophisticated attacks against its information systems and networks, including significant and widespread attempts to penetrate systems with targeted, socially engineered e-mail messages in a technique known as spear phishing.

According to internal documents and DOD officials, the department has fought back with requirements that users log on to networks with a Common Access Card (CAC) that electronically verifies their identities and digitally signs e-mail messages with the private key contained on that card.

It has also required the use of plain text e-mail messages and converts HTML messages to plain text because HTML can contain programming code that plants keystroke loggers, viruses and other malware on computers, according to a Joint Task Force-Global Network Operations (JTF-GNO) presentation on spear phishing awareness training that all DOD employees and contractors must complete by Jan. 17.

Spear phishing refers to the practice of sending targeted, deceptive e-mail messages to service members, DOD civilian personnel and contractors. Unlike broad phishing efforts, in which scammers send messages to thousands or millions of recipients purporting to be from banks, Web sites or other organizations, spear phishing narrowly targets a specific organization — in this case DOD. It is marked by the phishers’ access to real DOD documents and use of subject lines referring to real operations or topics.

The Defense Security Service, which supports contractor access to DOD networks, said in a bulletin sent to contractors in October that JTF-GNO “has observed tens of thousands of malicious e-mails targeting soldiers, sailors, airmen and Marines; U.S. government civilian workers; and DOD contractors, with the potential compromise of a significant number of computers across the DOD.”

Lt. Gen. Steve Boutelle, the Army’s chief information officer, mandated the use of CACs in a message sent to all commands in February 2006. Even at that point, the threat from outside attackers was escalating rapidly, according to one message he sent then.

The Army expects attacks to continue, according to a statement provided by Boutelle’s office. “As both the sophistication and availability of technology increase, we expect attacks and intrusions to increase,” it states.

A JTF-GNO spokesman said the DOD backbone network, the Global Information Grid, is scanned millions of times a day by outsiders, but he declined to characterize the type of attacks DOD networks face. DOD also declined to identify the source of the attacks.

In a presentation to the AFCEA LandWarNet conference last summer, Lee LeClair of the Army’s Network Enterprise Technology Command/9th Signal Command, said U.S. military networks are faced with attacks by state-sponsored teams that control botnets and engage in spear phishing.

JTF-GNO illustrated the sophistication of the attacks that DOD faces in a spear phishing awareness training presentation obtained by Federal Computer Week. That presentation shows a faked message that appears to come from the operations division at the Pacific Command. It includes a PowerPoint attachment concerning the Valiant Shield exercise held last summer.
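As an added example, not code from the article or from JTF-GNO, the Python script below implements the two defensive measures the article describes, converting an HTML body to plain text so embedded script is discarded and flagging messages that lack the S/MIME wrapper a CAC-signed message carries, and also checks for the lure traits in the Pacific Command example above: a display name claiming a command, a sender address outside .mil, and an Office attachment. The two sample messages, their addresses, and the list of risky attachment extensions are constructed for illustration and are not DOD data or policy.

```python
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser

# Assumed list of attachment types commonly used as malware carriers in
# spear-phishing lures of this period; an illustration, not a DOD list.
RISKY_EXTENSIONS = {".ppt", ".pps", ".doc", ".xls", ".pdf", ".zip", ".exe", ".scr"}
SIGNATURE_TYPES = {"application/pkcs7-signature", "application/x-pkcs7-signature"}


class _TextExtractor(HTMLParser):
    """Keeps visible text only; tags vanish and <script>/<style> bodies are dropped."""

    def __init__(self):
        super().__init__()
        self.parts, self._skip = [], 0

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip += 1
        elif tag in ("br", "p", "div", "tr", "li"):
            self.parts.append("\n")

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1

    def handle_data(self, data):
        if not self._skip:
            self.parts.append(data)


def html_to_text(html):
    """Convert an HTML body to plain text, discarding markup, scripts and styles."""
    p = _TextExtractor()
    p.feed(html)
    p.close()
    lines = (ln.strip() for ln in "".join(p.parts).splitlines())
    return "\n".join(ln for ln in lines if ln)


def is_smime_signed(msg):
    """Structural check for an S/MIME multipart/signed wrapper. It does not verify
    the signature against the signer's certificate chain; that is a separate step."""
    return msg.get_content_type() == "multipart/signed" and any(
        part.get_content_type() in SIGNATURE_TYPES for part in msg.iter_parts())


def assess_message(raw):
    """Parse a raw RFC 822 message and return findings a mail gateway could act on."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings, attachments, bodies = [], [], []
    if not is_smime_signed(msg):
        findings.append("unsigned")
    display, addr = parseaddr(msg.get("From", ""))
    if not addr.lower().endswith(".mil"):  # the display name may claim a command; the address decides
        findings.append("sender-not-mil")
    for part in msg.walk():
        ctype = part.get_content_type()
        if part.is_multipart() or ctype in SIGNATURE_TYPES:
            continue
        name = part.get_filename()
        if name:
            attachments.append(name)
            if "." + name.rsplit(".", 1)[-1].lower() in RISKY_EXTENSIONS:
                findings.append("risky-attachment:" + name)
        elif ctype == "text/html":
            findings.append("html-body-converted")
            bodies.append(html_to_text(part.get_content()))
        elif ctype == "text/plain":
            bodies.append(part.get_content())
    return {"from_display": display, "from_addr": addr, "findings": findings,
            "attachments": attachments, "body_text": "\n".join(bodies)}


# Constructed lure modeled on the PACOM example: spoofed display name, non-.mil
# sender, HTML body carrying script, PowerPoint attachment. Addresses are placeholders.
SAMPLE_LURE = b"""From: "USPACOM J3 Operations" <j3ops@example.net>
To: staff@example.mil
Subject: Valiant Shield - updated exercise brief
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="B1"

--B1
Content-Type: text/html; charset="us-ascii"

<html><body><p>All,</p><p>Updated brief attached.</p>
<script>document.location='http://example.net/x'</script><p>V/R, J3</p></body></html>
--B1
Content-Type: application/vnd.ms-powerpoint; name="valiant_shield_brief.ppt"
Content-Disposition: attachment; filename="valiant_shield_brief.ppt"
Content-Transfer-Encoding: base64

AAAA
--B1--
"""

# Constructed S/MIME-wrapped plain-text message from a .mil address (signature bytes are dummy).
SAMPLE_SIGNED = b"""From: "J3 Operations" <j3ops@example.mil>
Subject: Weekly schedule
MIME-Version: 1.0
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg=sha-256; boundary="S1"

--S1
Content-Type: text/plain; charset="us-ascii"

No changes to this week's schedule.
--S1
Content-Type: application/pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64

MIIB
--S1--
"""

if __name__ == "__main__":
    for raw in (SAMPLE_LURE, SAMPLE_SIGNED):
        r = assess_message(raw)
        print(r["from_display"], "<%s>" % r["from_addr"], r["findings"], r["body_text"], sep="\n")
```

The signature check is deliberately structural: it tells a gateway whether a message even claims to be CAC-signed, which is enough to enforce a "plain text, signed mail only" rule, but a lure can include a bogus signature part, so the PKCS#7 blob must still be verified against the DOD PKI chain before the message is trusted.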

Centaurs and honeynets

In 2000, the Defense Information Systems Agency quietly launched Project Centaur, a data-mining and pattern discovery program to identify attack trends, scopes and methods used against its networks.

Project Centaur, as described by DISA in its 2003 budget documents, was designed to use those techniques to automatically correlate the location of sophisticated network attacks, determine the scope and scale of the intrusions, and coordinate response actions. The project was also mentioned in DISA’s 2004 budget documents, but since then, DISA has eliminated any description of the project from publicly available documents.

DISA and the Joint Task Force-Global Network Operations have also fielded diversion networks called honeynets to keep intruders away from operational networks, according to a presentation at the 2005 Army Information Technology conference by Col. Carl Hunt, director of technology and analysis at JTF-GNO. Aside from this briefing, there is little publicly available information about DOD honeynets. The term generally refers to a network that makes intruders think they’ve successfully penetrated their target. — Bob Brewin